I've been reading all the documentation on hardening my system against Spectre / Meltdown and, being quite overwhelmed, I'm taking time out to formulate a sensible execution plan to fix this finally. Or, if this ends up being out of my league, just wait until I get a newer machine and/or the next Mint release.
It seems my Mint 18 setup needs kernel version 4.4.0-116.
I'm not entirely clear on how to implement every available fix and have many questions since all the lingo in the Spectre/Meltdown wiki is Greek/GEEK to me.
Thank you very much!
1) Will compiling kernels become a regular chore for me?
I intend to test kernel 4.4.0-116 with Linux Mint 18 Mate 64. Will Mint 19 ship with an attack-resistant kernel? When newer resistant hardware is available, will that eliminate the need to custom compile the kernel?
For now it looks like, per my system specs, I need to compile with retpoline, so unfortunately it seems until I get a newer machine I'll need to compile my own kernels. If that's the case, then I'm a little concerned I'm getting in over my head and hoping I don't run into any snags and it's smooth and easy. Also, I'm guessing I'll need to recompile the kernel every time there's an update to it, so I'm hoping there's a way to, perhaps, receive e-mail alerts when new kernel updates are available? ( As opposed to constantly checking the website and hoping I didn't miss any updates. )
2) Compiling with retpoline and hardening userspace:
According to https://github.com/NixOS/nixpkgs/issues/34383 , I need "CONFIG_RETPOLINE enabled" ( is that a boot / kernel parameter / is there a difference? ) and a "compiler that supports -mindirect-branch=thunk-extern", which links to https://git.kernel.org/pub/scm/linux/ke ... 74b3ad147d , apparently some kind of retpoline compiler.
Assuming I have no problems setting the parameter, and I figure out what to do with all that code in that compiler, then I still need to apply retpoline to userspace, right? Is userspace hardening something that developers alone do, or users too? I hear Mozilla has implemented retpoline in the Firefox application. If there's something I need to do so that all applications are hardened, what would that be? ( Just having a retpoline-compiled kernel doesn't protect userspace, AFAIK. )
3) On https://wiki.ubuntu.com/SecurityTeam/Kn ... wn/TechFAQ what is meant by: "While PCID support was only included in the upstream 4.14 kernel, it has been backported along with the KPTI patchset as part of the kernel updates in the Meltdown USNs issued on Jan 9." Where does the 4.4.0-116 kernel stand regarding this feature?
On https://wiki.ubuntu.com/SecurityTeam/Kn ... wn/TechFAQ what is meant by: "Virtual machines can't use these optimisations unless the hypervisor exposes the CPU's PCID and INVPCID features. If the VM is running with an updated kernel, KPTI will still be active and the VMs will be secure, but they will experience seriously degraded performance until the hypervisor is updated to expose them." First, does this affect Docker or Virtualbox? Second, what is meant by 'updating' the hypervisor? Does that just mean whoever is maintaining the hypervisor packages has to release an update / patch?
4) Variant 2 requires a firmware update. Will Mint handle firmware updates or should I install them from Intel? Also, could a firmware update trigger system instability or performance problems?
5) Kernel parameter-related:
Variant 4 requires booting with the spec_store_bypass_disable=seccomp kernel parameter to mitigate variant 4. Could this trigger instability or a performance hit? And how do I boot with this parameter? I searched for half an hour and couldn't find the solution. Do I simply add it to /boot/config-########-generic?
6) Testing kernel on a VM:
I read it may be beneficial to set up a VM for kernel testing. What VM application would be best suited for virtualizing Mint? I'm happy with VirtualBox but curious about KVM, if anyone has a preference. I need to know that my test is a reliable predictor of how the OS will work on the real system. With any luck the VM will talk to my hardware exactly the same as if it were a real machine!
I thought I'd attach Firmware installation instructions from Intel for everyone's convenience if you're attempting to fix spectre/meltdown as well:
Loading microcode using the initrd method is recommended so that the microcode is loaded at the earliest time for best coverage. Systems that cannot tolerate downtime may use the late reload method to update a running system without a reboot.
To update early loading initrd, consult your Linux distributor on how to package microcode files for early loading. Some Linux distributions use update-initramfs or dracut. As recommended above, please use the OS vendor's recommended method to ensure the microcode file is updated for early loading before attempting the late-load procedure below.
To update the intel-ucode package on the system, one needs to:
1. Ensure the existence of /sys/devices/system/cpu/microcode/reload
2. Copy intel-ucode directory to /lib/firmware, overwrite the files in
3. Write the reload interface to 1 to reload the microcode files, e.g.
echo 1 > /sys/devices/system/cpu/microcode/reload
If you are using the OS vendor method to update microcode, the above steps may have been done automatically during the update process.
And here are instructions for compiling a kernel for your convenience ( and scrutiny, please check for correctness ). If you know of a better guide please let me know.
1) download the kernel source file from kernel.org
2) sudo apt-get install git fakeroot build-essential ncurses-dev xz-utils libssl-dev bc flex libelf-dev bison
3) tar xvf [kernel file]; cd [kernel dir]    ( kernel.org tarballs are .tar.xz, so let tar detect the compression rather than forcing -z )
4) open up current parameters from /boot/config-4#######-generic
   - what do all the parameters do?
   - can we disable bluetooth device? wireless device?
   - add 'CONFIG_RETPOLINE enabled' parameter?
5) use 'make menuconfig' with kernel file
6) compile and install the kernel via:
make -j"$(nproc)"
sudo make modules_install
sudo make install
sudo update-initramfs -c -k [kernel version]
sudo update-grub
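Added example, not part of the original post: a small POSIX shell script that checks the mitigation status the questions above are about. It reads the kernel's per-vulnerability reports under /sys/devices/system/cpu/vulnerabilities (a kernel sysfs interface the post does not mention), looks for the spec_store_bypass_disable=seccomp parameter from 5) on the boot command line, checks CONFIG_RETPOLINE from 2) in the running kernel's config, and checks for the microcode reload interface from step 1 of the Intel procedure. The script name mitigation-check.sh is assumed; every path is a parameter so the checks can also run against constructed sample files.

```shell
#!/bin/sh
# Added example (not from the original post): summarise Spectre/Meltdown
# mitigation status on a Linux host. Each check takes its input path as a
# parameter so it can run against the live system or constructed sample files.

# Print "name: status" for each file under the sysfs vulnerabilities directory.
# Returns 1 if any entry still starts with "Vulnerable" (mitigation not active).
report_vulnerabilities() {
    dir="$1"; rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%s: %s\n' "$(basename "$f")" "$status"
        case "$status" in
            Vulnerable*) rc=1 ;;
        esac
    done
    return "$rc"
}

# Returns 0 if the boot command line (a file such as /proc/cmdline) carries
# the exact token given, e.g. spec_store_bypass_disable=seccomp.
cmdline_has_param() {
    tr ' ' '\n' < "$1" | grep -qx -- "$2"
}

# Returns 0 if the kernel config file has OPTION=y, e.g. CONFIG_RETPOLINE.
config_enabled() {
    grep -qx -- "$2=y" "$1"
}

# Returns 0 if the microcode late-reload interface (step 1 of the Intel
# procedure) exists under the given sysfs cpu directory.
microcode_reload_present() {
    [ -e "$1/microcode/reload" ]
}

# Live run: sh mitigation-check.sh --live
if [ "${1:-}" = "--live" ]; then
    report_vulnerabilities /sys/devices/system/cpu/vulnerabilities \
        || echo "WARNING: at least one entry is still reported as Vulnerable"
    cmdline_has_param /proc/cmdline spec_store_bypass_disable=seccomp \
        && echo "SSBD: seccomp mode requested on the kernel command line"
    config_enabled "/boot/config-$(uname -r)" CONFIG_RETPOLINE \
        && echo "CONFIG_RETPOLINE=y in the running kernel's config"
    microcode_reload_present /sys/devices/system/cpu \
        && echo "microcode late-reload interface present"
fi
```

A "Vulnerable" line for spec_store_bypass with the kernel parameter absent from /proc/cmdline is the combination question 5) is about; "Not affected" and "Mitigation: ..." lines need no action.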